Our ERA server reports that it removed a threat in an e-mail. Unfortunately, ERA doesn't show the details about the e-mail, like subject, sender, etc. So I check the date and time
and I open up the e-mail log on our external spam filter. It turns out there is no e-mail for the reported user at that time, and all e-mails close to that time are legit.
I then did a check with a different reported threat and a different user, and it was the same as with the other reported threat: no e-mail found at the reported time, and only legit e-mails
close to the reported time. It's like ERA is making up threats. The server that ERA is running on is a domain member, so the time is synchronized with the DCs.
The time on our external spam filter has also been checked, and both the ERA server and the spam filter are showing the correct time. Where is this coming from, and is there a way
to get more information about the e-mail that the threat was removed from?